PatchSiren cyber security CVE debrief
CVE-2026-20240 Splunk CVE debrief
CVE-2026-20240 was published on 2026-05-20. According to the CVE description and NVD metadata, a low-privileged user who holds neither the Splunk admin nor the power role can cause a denial of service in affected Splunk Enterprise and Splunk Cloud Platform versions by abusing the coldToFrozen.sh script in the splunk_archiver app. The root cause is missing input validation: the script handles caller-supplied paths without checking them, which allows renaming of critical Splunk directories and can leave the instance non-functional. The NVD record rates the issue CVSS 3.1 6.5/10 (MEDIUM) with an availability-only impact. For defenders, the main concern is service disruption on production Splunk instances where non-administrative users can reach the affected workflow.
- Vendor: Splunk
- Product: Splunk Enterprise, Splunk Cloud Platform
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-21
Who should care
Splunk Enterprise and Splunk Cloud Platform administrators, platform owners, and security teams responsible for role management, app configuration, and availability of Splunk services. Multi-user environments where non-admin users can interact with Splunk workflows should treat this as a higher operational risk.
Technical summary
The CVE describes a denial-of-service condition in Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129. A low-privileged user without the admin or power role can exploit missing input validation in coldToFrozen.sh within the splunk_archiver app to rename critical directories. The result is loss of service availability; the record claims no confidentiality or integrity impact. NVD records the weakness as CWE-20 (Improper Input Validation) and the vector as network-reachable, low-complexity, requiring low privileges and no user interaction, with availability impact only (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
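Because the fixed versions differ per release line, a plain "version below X" comparison is not enough: 9.4.10 is affected while 10.0.5 is fixed, and Splunk Cloud Platform versions carry four components. The following script is an added example for this debrief, not Splunk's own tooling. Only the fixed version numbers come from the CVE record; the inventory shape, the host names and the "enterprise" / "cloud" product labels are constructed for illustration. A version on a release line the record does not name is reported as unassessed rather than guessed at.

```python
"""Assess Splunk Enterprise and Splunk Cloud Platform versions against the
fixed versions the CVE-2026-20240 record lists.

Added example for this debrief, not Splunk's own tooling. Only the fixed
version numbers come from the CVE record; the inventory format, host names
and product labels ("enterprise" / "cloud") are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed version per release line (keyed by major.minor), from the CVE record.
FIXED_ENTERPRISE: Dict[Tuple[int, int], Version] = {
    (10, 2): (10, 2, 2),
    (10, 0): (10, 0, 5),
    (9, 4): (9, 4, 11),
    (9, 3): (9, 3, 12),
}
FIXED_CLOUD: Dict[Tuple[int, int], Version] = {
    (10, 4): (10, 4, 2603, 1),
    (10, 3): (10, 3, 2512, 9),
    (10, 2): (10, 2, 2510, 11),
    (10, 1): (10, 1, 2507, 21),
    (10, 0): (10, 0, 2503, 13),
    (9, 3): (9, 3, 2411, 129),
}
FIXED_BY_PRODUCT = {"enterprise": FIXED_ENTERPRISE, "cloud": FIXED_CLOUD}


def parse_version(text: str) -> Version:
    """Turn '9.4.10' or '10.3.2512.8' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Splunk version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(product: str, version: str) -> Dict[str, Optional[str]]:
    """Classify one instance as 'affected', 'fixed' or 'unassessed'.

    'unassessed' means the release line is not one the CVE record names, so
    this record alone says nothing about it; check the vendor advisory.
    """
    if product not in FIXED_BY_PRODUCT:
        raise ValueError(f"unknown product {product!r}; expected 'enterprise' or 'cloud'")
    v = parse_version(version)
    fixed = FIXED_BY_PRODUCT[product].get(v[:2]) if len(v) >= 2 else None
    if fixed is None:
        return {"status": "unassessed", "fixed_version": None}
    # Tuple comparison is lexicographic, so (9, 4, 10) < (9, 4, 11) and
    # (10, 3, 2512, 8) < (10, 3, 2512, 9) both count as affected.
    status = "affected" if v < fixed else "fixed"
    return {"status": status, "fixed_version": ".".join(map(str, fixed))}


# Constructed sample inventory: (host, product, reported version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("sh-01", "enterprise", "9.4.10"),
    ("idx-02", "enterprise", "10.2.2"),
    ("idx-03", "enterprise", "10.0.4"),
    ("stack-a", "cloud", "10.3.2512.8"),
    ("stack-b", "cloud", "9.3.2411.129"),
    ("lab-01", "enterprise", "8.2.9"),
]


def triage(inventory=INVENTORY) -> List[Dict[str, Optional[str]]]:
    """Run assess() over an inventory and return one result row per host."""
    rows = []
    for host, product, version in inventory:
        row: Dict[str, Optional[str]] = {"host": host, "product": product, "version": version}
        row.update(assess(product, version))
        rows.append(row)
    return rows


def hosts_needing_upgrade(inventory=INVENTORY) -> List[str]:
    """Hosts whose version is below the fixed version for their release line."""
    return [r["host"] for r in triage(inventory) if r["status"] == "affected"]


if __name__ == "__main__":
    for r in triage():
        target = r["fixed_version"] or "n/a"
        print(f"{r['host']:8} {r['product']:10} {r['version']:14} {r['status']:10} fix: {target}")
```

On the constructed inventory the script flags sh-01, idx-03 and stack-a for upgrade, reports idx-02 and stack-b as already at a fixed version, and leaves lab-01 (an 8.2 line the record does not mention) as unassessed. Feed it the versions your own asset inventory reports and treat the unassessed rows as a prompt to read the vendor advisory, not as clean.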
Defensive priority
Medium overall; prioritize as high operational risk on production Splunk deployments where availability is critical.
Recommended defensive actions
- Upgrade Splunk Enterprise to 10.2.2, 10.0.5, 9.4.11, or 9.3.12, depending on your release line.
- Upgrade Splunk Cloud Platform to 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, or 9.3.2411.129, depending on your deployment line.
- Review Splunk role assignments and confirm that only intended users can reach workflows that invoke the splunk_archiver app and coldToFrozen.sh.
- Monitor affected Splunk systems for unexpected service interruptions or directory-renaming activity tied to archiver operations.
- Validate recovery procedures and backups so an availability event in Splunk can be restored quickly.
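The role-review step above is only useful if it accounts for inheritance: a custom role that imports power carries power's capabilities, so a user holding it is not the "low-privileged user" the CVE describes, while a user holding only user or an app-specific role is. The script below is an added example for this debrief, not Splunk code. It consumes the parsed JSON of two Splunk REST endpoints, /services/authorization/roles and /services/authentication/users (requested with output_mode=json), and lists every user whose effective role set contains neither admin nor power. The payloads embedded here are constructed, and the field names imported_roles and roles are assumed from the content object those endpoints return.

```python
"""List Splunk users who hold neither the admin nor the power role, resolving
role inheritance, so the population to which CVE-2026-20240's low-privilege
condition applies can be reviewed against who is actually meant to be there.

Added example for this debrief, not Splunk code. Input is the parsed JSON of
/services/authorization/roles and /services/authentication/users
(output_mode=json); the payloads below are constructed, and the field names
'imported_roles' and 'roles' are assumed from the 'content' object.
"""
from typing import Dict, Iterable, List, Set

PRIVILEGED = {"admin", "power"}

# Constructed sample: soc_analyst imports power and so inherits its
# privileges; app_ops imports only user and stays low-privileged.
ROLES_JSON = {"entry": [
    {"name": "admin", "content": {"imported_roles": []}},
    {"name": "power", "content": {"imported_roles": ["user"]}},
    {"name": "user", "content": {"imported_roles": []}},
    {"name": "soc_analyst", "content": {"imported_roles": ["power"]}},
    {"name": "app_ops", "content": {"imported_roles": ["user"]}},
]}
USERS_JSON = {"entry": [
    {"name": "alice", "content": {"roles": ["admin"]}},
    {"name": "bob", "content": {"roles": ["soc_analyst"]}},
    {"name": "carol", "content": {"roles": ["app_ops"]}},
    {"name": "dave", "content": {"roles": ["user"]}},
    {"name": "erin", "content": {"roles": ["app_ops", "power"]}},
]}


def role_graph(roles_json: dict) -> Dict[str, List[str]]:
    """Map each role name to the roles it imports directly."""
    return {e["name"]: list(e.get("content", {}).get("imported_roles", []))
            for e in roles_json.get("entry", [])}


def effective_roles(roles: Iterable[str], graph: Dict[str, List[str]]) -> Set[str]:
    """Transitive closure over imported_roles. Tolerates import cycles and
    roles that a user references but the roles listing does not contain."""
    seen: Set[str] = set()
    stack = list(roles)
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(graph.get(r, []))
    return seen


def low_privilege_users(users_json: dict = USERS_JSON,
                        roles_json: dict = ROLES_JSON) -> List[str]:
    """Users whose effective role set contains neither admin nor power."""
    graph = role_graph(roles_json)
    out = []
    for e in users_json.get("entry", []):
        eff = effective_roles(e.get("content", {}).get("roles", []), graph)
        if not (eff & PRIVILEGED):
            out.append(e["name"])
    return sorted(out)


if __name__ == "__main__":
    print("users without admin/power, directly or by inheritance:",
          low_privilege_users())
```

On the constructed data the script returns carol and dave: bob is excluded because soc_analyst imports power, and erin because she holds power directly. Against a live instance, pull the two listings from the management port with an account that can read them and pass the parsed JSON to low_privilege_users(); the names it returns are the accounts to reconcile against the users who are actually meant to exist. Whether any of them can reach the archiver workflow is a separate question the CVE record does not settle.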
Evidence notes
This debrief is based only on the supplied CVE description, the NVD metadata, and the official Splunk advisory reference URL included in the source corpus. The source data provides the fixed versions, the affected components, the low-privilege condition, the missing input-validation root cause, the CWE-20 classification, and the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The full advisory text was not provided in the corpus, so no additional product or exploitation details are asserted beyond the supplied record.
Official resources
- CVE-2026-20240 CVE record (CVE.org)
- CVE-2026-20240 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Public disclosure context should be anchored to the CVE publication time in the source data: 2026-05-20T18:16:26.637Z. Do not treat generation or review time as the issue date.